It doesn’t have to be. I find myself asking what it really means to have enough security. As you can imagine, it comes up frequently with customers and prospects. They want to know that we take security seriously and that their data and intellectual property are safe. We take security extremely seriously and go to great pains and expense to provide as much as we can. The question I don’t know the answer to is what constitutes enough.
There are so many shades of gray on this topic, it is mind-boggling. There is one prevailing standard out there right now called SAS 70 (Statement on Auditing Standards No. 70), and it is an auditing standard rather than a security standard. You must spend tens of thousands of dollars to have an auditor come in, assess the technology, process, segregation of duties, etc., and provide their blessing. In fact, it is more of an audit than a true look at technology. You could have the most rock-solid technology stack in existence and still not qualify for SAS 70 if, for example, there is an issue with segregation of duties. Moreover, the auditors are usually not technology experts and focus far more on process and responsibilities.
This is one area where a lack of SaaS or cloud computing standards hurts. Some of the things we do at GroupSwim include:
- All login and credential pages use Secure Sockets Layer (SSL)
- SSL available for entire site
- Email authentication for all users
- Password hashing
- Session level security
- Files stored and encrypted using Amazon S3 service
There is much more we do. We believe our security architecture and processes are rock solid, but we will continue to innovate and invest, just as we do with our product features. I’m hoping the industry will eventually coalesce around a common set of standards. In the meantime, companies like ours will continue to provide security to the best of our ability. What do you think constitutes solid security? How can companies like ours prove it?